I've been working on a server migration recently, and cleaning up permissions issues on some cloned Windows 2008 servers. I routinely use procmon to narrow down permissions issues and fix them, then resume testing.
Something that boggles my mind is when I assign the proper permissions, and then run the test again, and still receive the same "ACCESS DENIED" error in procmon for the same exact user that I just assigned Full Control on for that directory or registry key that fails.
How is this technically possible? Other than not having the proper ACL set, why would ACCESS DENIED be returned?
In this specific headache, I have an Active Directory account that we use to run our services that need to be able to span multiple servers, and it consistently receives ACCESS DENIED errors on HKEY_CLASSES_ROOT\Wow6432Node\CLSID. I have tripled checked that this user has Full Control access on this key, yet it still happens.
For what it's worth, here are the details from procmon:
Date & Time: 8/9/2011 5:13:27 PM
Event Class: Registry
Operation: RegOpenKey
Result: ACCESS DENIED
Path: HKCR\Wow6432Node\CLSID
TID: 5084
Duration: 0.0000073
Desired Access: Read
Description: Event Alarm Service
Company: Dorian Software Creations, Inc.
Name: EvtAlarm.exe
Version: 6.0.0.148
Path: C:\Program Files (x86)\Event Alarm\EvtAlarm.exe
Command Line: "C:\Program Files (x86)\Event Alarm\EvtAlarm.exe"
PID: 5232
Parent PID: 616
Session ID: 0
User: OUR\SpecialUser
Auth ID: 00000000:09af42e2
Architecture: 32-bit
Virtualized: False
Integrity: High
Started: 8/9/2011 5:13:27 PM
Ended: 8/9/2011 5:13:39 PM
Edit: Thanks everyone for the feedback. I have solved our underlying problem, although my question still stands as I don't feel what I did is truly an explanation, therefore I am not going to post this as an official answer. Following advice from the company that makes the software in question, I added the service account in question to the local Administrators group, and now it is able to start successfully, and the ACCESS DENIED errors are gone. It still makes no sense to me, as the permissions (including effective permissions) showed that this service account should have had the right to access the registry key that was being denied…
Best Answer
Most likely the token for the user has not been regenerated. When a user logs in / authenticates a security token is generated to them with all of their permissions. When alterations to permissions take place the user needs to have their security token regenerated either with the local SAM or the domain controller. Usually that is only an issue for user rights assignments and not object permissions though.
Another possibility is the concept if denials taking precedence over allows. It's possible for a denial to be higher up the inheritance chain that is cascading down and causing the permission problems.